URL: https://github.com/freeipa/freeipa/pull/2632 Author: flo-renaud Title: #2632: [Backport][ipa-4-6] certupdate: add commentary about certmonger behaviour Action: opened
PR body: """ This PR was opened automatically because PR #2622 was pushed to master and backport to ipa-4-6 is required. """

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/2632/head:pr2632
git checkout pr2632
From b30fbb69b9b67a380de390bb75a190fb207430a6 Mon Sep 17 00:00:00 2001 From: Fraser Tweedale <ftwee...@redhat.com> Date: Fri, 30 Nov 2018 21:53:21 +1100 Subject: [PATCH] certupdate: add commentary about certmonger behaviour It is not obvious why we "renew" (reuse only) the IPA CA certificate in ipa-certupdate. Add some commentary to explain this behaviour. Related: https://pagure.io/freeipa/issue/7751 See also: https://github.com/freeipa/freeipa/pull/2576#issuecomment-442220840 --- ipaclient/install/ipa_certupdate.py | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/ipaclient/install/ipa_certupdate.py b/ipaclient/install/ipa_certupdate.py index 878af25042..1311dc62e8 100644 --- a/ipaclient/install/ipa_certupdate.py +++ b/ipaclient/install/ipa_certupdate.py @@ -165,6 +165,17 @@ def update_server(certs): if request_id is not None: timeout = api.env.startup_timeout + 60 + # The dogtag-ipa-ca-renew-agent-reuse Certmonger CA never + # actually renews the certificate; it only pulls it from the + # ca_renewal LDAP cert store. + # + # Why is this needed? If the CA cert gets renewed long + # before its notAfter (expiry) date (e.g. to switch from + # self-signed to external, or to switch to new external CA), + # then the other (i.e. not caRenewalMaster) CA replicas will + # not promptly pick up the new CA cert. So we make + # ipa-certupdate always check for an updated CA cert. + # logger.debug("resubmitting certmonger request '%s'", request_id) certmonger.resubmit_request( request_id, ca='dogtag-ipa-ca-renew-agent-reuse', profile='')
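Review bot: the new comment says "we make ipa-certupdate always check for an updated CA cert", but the resubmit it documents sits under `if request_id is not None:`, so the check only runs when certmonger already has a tracking request for the CA certificate; consider wording it as "whenever the CA cert is tracked by certmonger" or adding a sentence on what happens when no request exists, so a reader does not assume the reuse path covers every replica unconditionally. Minor style point in the same hunk: the bare `#` line that closes the comment block immediately before `logger.debug("resubmitting certmonger request '%s'", request_id)` can be dropped, since the comment already ends with a full sentence and the blank comment line adds nothing. The rest of the text is accurate to the call that follows it (`ca='dogtag-ipa-ca-renew-agent-reuse'`), and since the hunk is comment-only there is no behaviour change to verify for the backport.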
_______________________________________________ FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-devel@lists.fedorahosted.org